How to write trigger condition

I am writing a trigger condition for a user created and deleted within 10 min. Below is the condition, but it is giving a
compile error:

    {
      "script": {
        "lang": "painless",
        "source": "def removes = ctx.payload.aggregations.event_id.buckets.remove.users.buckets.stream().map(p -> p.key).collect(Collectors.toList()); return ctx.payload.aggregations.event_id.buckets.add.users.buckets.stream().map(p -> p.key).filter(p -> removes.contains(p)).toArray().length > 0;"
      }
    }

Hi Yogesh,

Please refer to:

The monitor query response should be accessed using ctx.results[0] instead of ctx.payload

Thanks,
Drew
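As an added example (not from the original post, Drew's reply, or the OpenSearch project), the first post's condition rewritten against ctx.results[0] with ASCII lambda arrows replaced by plain loops. It assumes, as the original script implies, that event_id is a filters aggregation with named buckets add and remove, each carrying a terms sub-aggregation users; bracket access is used for the bucket names so that remove is not mistaken for the Map method.

```painless
// Trigger condition: fire when at least one user key appears in both the
// "remove" and the "add" named filter buckets of the monitor's first query.
// Assumption (from the original script, not verified against a live index):
// event_id is a filters aggregation whose "buckets" is a map keyed by
// "add"/"remove", and each of those holds a terms sub-aggregation "users".
def aggs = ctx.results[0].aggregations;
if (aggs == null || aggs.event_id == null) {
  return false;  // no aggregation in the response (e.g. zero hits): do not alert
}
def eventId = aggs.event_id.buckets;
def removedAgg = eventId['remove'];
def addedAgg = eventId['add'];
if (removedAgg == null || addedAgg == null) {
  return false;
}

// Collect the keys of users deleted in the window into a Set for cheap lookup.
Set removed = new HashSet();
for (def b : removedAgg.users.buckets) {
  removed.add(b.key);
}

// Alert as soon as a user created in the same window is also in the removed set.
for (def b : addedAgg.users.buckets) {
  if (removed.contains(b.key)) {
    return true;
  }
}
return false;
```

The null checks cover the case where the query matched nothing, which otherwise throws a runtime error instead of evaluating to false.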

Hi,

I want to write a condition that checks the count for each host and not the total.

So instead of this
ctx.results[0].hits.total.value > 400
I need to access doc_count
something like the following:
ctx.results[0].aggregations.group_by_host.buckets.doc_count > 400

But the above throws an error:

    {
      "type" : "script_exception",
      "reason" : "runtime error",
      "script_stack" : [
        "ctx.results[0].aggregations.group_by_host.buckets.doc_count > 400",
        "                                                 ^---- HERE"
      ],
      "script" : "ctx.results[0].aggregations.group_by_host.buckets.doc_count > 400",
      "lang" : "painless",
      "caused_by" : {
        "type" : "illegal_argument_exception",
        "reason" : "Illegal list shortcut value [doc_count]."
      }
    }

Following is the response from the extraction query which I am using for the trigger action. How can I access doc_count, which is under buckets, so it will only qualify?

{
    "_shards": {
        "total": 198,
        "failed": 0,
        "successful": 198,
        "skipped": 52
    },
    "hits": {
        "hits": [],
        "total": {
            "value": 496,
            "relation": "eq"
        },
        "max_score": null
    },
    "took": 11,
    "timed_out": false,
    "aggregations": {
        "group_by_host": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
                {
                    "doc_count": 494,
                    "key": "Computer1"
                },
                {
                    "doc_count": 2,
                    "key": "Computer2"
                }
            ]
        },
        "event_count": {
            "value": 496
        } 
    }
}

I've run into this issue and I'm still working on it, but I know that because the buckets are in an array, like the results, you have to include that array index in your source, like the [0] here referencing the first item in the array. What I am trying to figure out is how to match that against all buckets.

ctx.results[0].aggregations.group_by_host.buckets[0].doc_count


Hi @cbanaszak,

Am I understanding correctly that in your trigger condition you would like to loop over all values in ctx.results[0].aggregations.group_by_host.buckets? If so, you can do this by using .size(), so something like:

for (int i = 0; i < ctx.results[0].aggregations.group_by_host.buckets.size(); i++) {
  // bucket values can be accessed via ctx.results[0].aggregations.group_by_host.buckets[i].doc_count,
  // for example to fire when any single host exceeds the threshold:
  if (ctx.results[0].aggregations.group_by_host.buckets[i].doc_count > 400) {
    return true;
  }
}
return false;

buckets is an array, so something like this works:

ctx.results[0].aggregations.group_by_host.buckets[0].doc_count > 400

I don't think that the real problem is solved here. The problem is how to check if any bucket in the bucket list triggers the condition. @lucaswin-amzn sadly your for loop does not work on Opendistro.

Creating a trigger based on the first bucket won't be effective, I think, because I may have several buckets and maybe the last bucket exceeds the threshold.

I tried writing the trigger condition in the same format as suggested but am getting an error:

My monitor output:

{
    "_shards": {
        "total": 1,
        "failed": 0,
        "successful": 1,
        "skipped": 0
    },
    "hits": {
        "hits": [],
        "total": {
            "value": 23,
            "relation": "eq"
        },
        "max_score": null
    },
    "took": 26,
    "timed_out": false,
    "aggregations": {
        "data_aggs_interval": {
            "buckets": [
                {
                    "key_as_string": "2022-11-24T00:00:00.000Z",
                    "doc_count": 8,
                    "tag_names": {
                        "doc_count_error_upper_bound": 0,
                        "sum_other_doc_count": 2,
                        "buckets": [
                            {
                                "doc_count": 3,
                                "metrics": {
                                    "value": 3000
                                },
                                "key": "I_DRV155_CFB"
                            },
                            {
                                "doc_count": 3,
                                "metrics": {
                                    "value": 197
                                },
                                "key": "M_E2MDD_CFB"
                            }
                        ]
                    },
                    "key": 1669248000000
                },
                {
                    "key_as_string": "2022-12-04T00:00:00.000Z",
                    "doc_count": 15,
                    "tag_names": {
                        "doc_count_error_upper_bound": 0,
                        "sum_other_doc_count": 1,
                        "buckets": [
                            {
                                "doc_count": 10,
                                "metrics": {
                                    "value": 197
                                },
                                "key": "M_E2MDD_CFB"
                            },
                            {
                                "doc_count": 4,
                                "metrics": {
                                    "value": 197
                                },
                                "key": "I_RM3201_RTD_08"
                            }
                        ]
                    },
                    "key": 1670112000000
                }
            ]
        }
    }
}

If I try to access first bucket, the trigger condition is working:

First bucket trigger condition:

return ctx.results[0].aggregations.data_aggs_interval.buckets[0].tag_names.buckets[0].metrics.value == null ? false:
(ctx.results[0].aggregations.data_aggs_interval.buckets[0].tag_names.buckets[0].metrics.value >= 3000 && 
ctx.results[0].aggregations.data_aggs_interval.buckets[0].tag_names.buckets[0].key == "I_DRV155_CFB")

Using loops, it can be achieved as below.

For loop trigger condition:

int score = 0;
def intervals = ctx.results[0].aggregations.data_aggs_interval.buckets;
for (int i = 0; i < intervals.size(); i++) {
  // each date-histogram bucket carries its own list of tag_names buckets,
  // so walk that inner list with its own index rather than reusing i
  def tags = intervals[i].tag_names.buckets;
  for (int j = 0; j < tags.size(); j++) {
    if (tags[j].metrics.value != null
        && tags[j].metrics.value >= 3000
        && tags[j].key == "I_DRV155_CFB") {
      score += 10;
    }
  }
}
return score > 0;